Abstract
This paper describes a cloud-scale encryption system. It discusses the constraints that shaped the design of Amazon Web Services’ Key Management Service, and in particular, the challenges that arise from using a standard mode of operation such as AES-GCM while safely supporting huge amounts of encrypted data that is (simultaneously) generated and consumed by a huge number of users employing different keys. We describe a new derived-key mode that is designed for this multi-user-multi-key scenario typical at the cloud scale. Analyzing the resulting security bounds of this model illustrates its applicability for our setting. This mode is already deployed as the default mode of operation for the AWS key management service.
Original language | English |
---|---|
Article number | 23 |
Pages (from-to) | 1-16 |
Number of pages | 16 |
Journal | Cryptography |
Volume | 3 |
Issue number | 3 |
DOIs | |
State | Published - Sep 2019 |
Bibliographical note
Publisher Copyright:© 2019 by the authors. Licensee MDPI, Basel, Switzerland.
Keywords
- AES-GCM
- Cloud computing
- Key management
ASJC Scopus subject areas
- Computational Theory and Mathematics
- Computer Networks and Communications
- Computer Science Applications
- Software
- Applied Mathematics